analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Circular 032 Sancionados a Nivel Nacional Abril 24 RAD29000393_0291.uue

Full analysis: https://app.any.run/tasks/0ffd8624-5932-47dd-b7b8-3e4fd7e43a1e
Verdict: Malicious activity
Analysis date: July 18, 2019, 06:51:41
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v4, os: Win32
MD5:

12DD8ED13DDE7594D9551A655BAFD169

SHA1:

A8F5211F71DC4B8170DCC40902B0D91A5AF48C92

SHA256:

DD766A3C69BC7E5B384540140EC3F383797AF109D07EA00F9EBFE173CB3863AE

SSDEEP:

12288:RpK1Cc55crUYZH/02h5YEFJjNBbeQ1W51kOfQK222:0Y1c2hVPeQ181pf6

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Circular 032 Sancionados a Nivel Nacional Abril 24 RAD29000393_0291.exe (PID: 2612)

    • Writes to a start menu file

      • Circular 032 Sancionados a Nivel Nacional Abril 24 RAD29000393_0291.exe (PID: 2612)

    • Changes the autorun value in the registry

      • RegAsm.exe (PID: 3692)

  • SUSPICIOUS

    • Creates files in the user directory

      • Circular 032 Sancionados a Nivel Nacional Abril 24 RAD29000393_0291.exe (PID: 2612)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2952)
      • Circular 032 Sancionados a Nivel Nacional Abril 24 RAD29000393_0291.exe (PID: 2612)

  • INFO

    • Manual execution by user

      • Circular 032 Sancionados a Nivel Nacional Abril 24 RAD29000393_0291.exe (PID: 2612)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v-4.x) (58.3)
.rar | RAR compressed archive (gen) (41.6)

EXIF

ZIP

CompressedSize: 531457
UncompressedSize: 1084928
OperatingSystem: Win32
ModifyDate: 2019:04:24 08:15:28
PackingMethod: Normal
ArchivedFileName: Circular 032 Sancionados a Nivel Nacional Abril 24 RAD29000393_0291.exe
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
41
Monitored processes
3
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe circular 032 sancionados a nivel nacional abril 24 rad29000393_0291.exe regasm.exe

Process information

PID
CMD
Path
Indicators
Parent process
2952"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\Circular 032 Sancionados a Nivel Nacional Abril 24 RAD29000393_0291.uue.rar"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
2612"C:\Users\admin\Desktop\Circular 032 Sancionados a Nivel Nacional Abril 24 RAD29000393_0291.exe" C:\Users\admin\Desktop\Circular 032 Sancionados a Nivel Nacional Abril 24 RAD29000393_0291.exe
explorer.exe
User:
admin
Company:
hvix64
Integrity Level:
MEDIUM
Description:
RtDCpl64
Exit code:
0
Version:
503.806.715.494
3692"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Circular 032 Sancionados a Nivel Nacional Abril 24 RAD29000393_0291.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET Assembly Registration Utility
Version:
2.0.50727.5420 (Win7SP1.050727-5400)
Total events
640
Read events
329
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
0
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
2612Circular 032 Sancionados a Nivel Nacional Abril 24 RAD29000393_0291.exeC:\Users\admin\AppData\Roaming\whoami\CredentialUIBroker.vbstext
MD5:D2569B1C5942ACAEF04A2073378C7D7D
SHA256:7A5B31BE749673F1F524FA423E17467A4878E28BB93B4AB6DF64C52A92E12D9F
2612Circular 032 Sancionados a Nivel Nacional Abril 24 RAD29000393_0291.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CredentialUIBroker.urltext
MD5:8A61642B80314BA0377633B3A15C2391
SHA256:612667E00A80CB81CDFAADA321AAF63C59C058CEA1F924DC90DB3530850C18B4
2612Circular 032 Sancionados a Nivel Nacional Abril 24 RAD29000393_0291.exeC:\Users\admin\AppData\Roaming\whoami\CompMgmtLauncher.exeexecutable
MD5:76CFEA5E2ECE4E2F89E346930850B362
SHA256:9F7B8F7209D20F0024F74648357CE726A2CB07CD525D5A84FC113DA07A9C5141
2952WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2952.24295\Circular 032 Sancionados a Nivel Nacional Abril 24 RAD29000393_0291.exeexecutable
MD5:C9C8275280D0523859ADADF1CF5501D9
SHA256:55BED4C0C354975F4B778AF43227D334D8D8ED89E6A4405E35F649EB7AF4C5F5
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
12
DNS requests
5
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3692
RegAsm.exe
186.85.86.196:1407
hospisanjose.publicvm.com
Telmex Colombia S.A.
CO
malicious

DNS requests

Domain
IP
Reputation
hospisanjose.publicvm.com
  • 186.85.86.196
malicious
dns.msftncsi.com
  • 131.107.255.255
shared

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Circular 032 Sancionados a Nivel Nacional Abril 24 RAD29000393_0291.uue